I have up to now only used WSUS for new installations, but since M$ obviously will not stop trying to infect my compters, I have completely disabled updates on all pc's since they started with the roll-up madness.I would therefore like to use WSUS for security patches, if I can be sure that the dirty stuff from M$ is not included.I have searched this forum several times to see if a solution have been found to filter the updates. I know that I can select "security updates only" but that is probably not enough to avoid the M$ spy/malware.All topics about this seems to end without a conclution.I therefore hope that someone will take time to explain me what I should do, and if there actually is a way to prevent M$ from infecting my Win7 computers (Other than keep updates disabled).

I'd suggest you to user wsusou's SecOnly-mode ("User security only updates instead of quality rollups"). Just tick the box in UpdateGenerator and UpdateInstaller and you should be on the safe side. MS currently did not put any telemetry updates (except for the rollups) into wsusscn2.cab, but that might change in the future (even if I don't think so).

You're not alone. Windows 10 would be a much greater success without forced updates and Telemetry shit.

Just note that Security-only updates are meant for corporations*, a user group MS will be shy to piss off (hopefully). So they are clean, for now. Also, they aren't cumulative, so you need all of them.

*That's the reason those SecOnly patches aren't available from Windows Update, normal users should normally not use it.

The Cumulative Security Update for IE11 is currently safe. For .NET, WOU installs the respective SecOnly packages exactly like for Windows, the checkbox in the GUI applies to both.

In case you despise Telemetry, the main update to avoid at all cost is KB2952664. There are several updates adding Telemetry points to various components of the system, however, they do nothing without the main update (the "engine" of the Telemetry car, so to speak). Of course, that's only valid for Windows components, many MS software programs can spy on their own (Defender, OneDrive, Skype etc.).

So, IE updates are cumulative?Does this mean there is no security updates only?

My pc's are completely free of any telemetry/Win10upgrade spyware/malware and it has been a big job to keep them so.Since M$ became totally unserious, I have gradually moved away from their software (Office ect.) and have now only Win7 and MSE left, and only use IE for special tasks.I use MSE because all other AV programs makes more harm than a virus.Windows 7 will be my last M$ product unless they magically get back on a serious track.I will now try to read about how to exclude certain updates in WSUS, since I have never done this before.